Can Your Firewall Inspect Encrypted Traffic?

Can Your Firewall Inspect Encrypted Traffic?

Two-thirds of malware attacks are encrypted, driving the need for security tools that can detect these threats without performance lags.

More and more traffic traveling across the Internet is encrypted. According to the Internet Trends Report by venture capitalist Mary Meeker, 87 percent of web traffic was encrypted at the beginning of 2019, compared to 53 percent in 2016. Data from Netmarketshare shows that encrypted web traffic exceeded 90 percent by October 2019. A Google report puts the figure at 95 percent based upon the number of web pages using the HTTPS protocol loaded into its Chrome browser.

On the surface, this sounds like great news that should bring a collective sigh of relief from the IT security folks. Encrypted traffic translates to a smaller chance that sensitive data will be exposed to unauthorized parties.

Unfortunately, it’s not just the good guys who are using encryption. The bad guys are encrypting traffic to cover up their illicit activity. Attackers put malware in an encrypted file and deliver through an HTTPS web connection or even a virtual private network. Gartner has predicted that some type of encryption will be used in more than 70 percent of new malware campaigns in 2020.

Performance Problems

WatchGuard Technologies came to a similar conclusion in its Internet Security Report for Q1 2020. Based upon anonymized data collected from more than 44,000 WatchGuard security appliances participating in the research, the report shows that 67 percent of all malware in Q1 was delivered via encrypted HTTPS connections.

Problem is, traditional firewalls can’t inspect encrypted traffic, which means organizations using these firewalls are unable to detect and prevent two-thirds of incoming threats. Many next-generation firewalls (NGFWs) are capable of decrypting traffic so it can be inspected, but this can cause serious performance lags due to the complexity of the decryption process.

“Some organizations are reluctant to set up HTTPS inspection due to the extra work involved, but our threat data clearly shows that a majority of malware is delivered through encrypted connections and that letting traffic go uninspected is simply no longer an option,” said Corey Nachreiner, chief technology officer at WatchGuard. “As malware continues to become more advanced and evasive, the only reliable approach to defense is implementing a set of layered security services, including advanced threat detection methods and HTTPS inspection.”

Eliminating Tradeoffs

The tradeoffs between performance and security create a conundrum for network administrators, who have been known to turn off security features due to performance problems. Clearly, this isn’t a good solution. Organizations need a firewall that can quickly and efficiently decrypt and inspect encrypted traffic so that they don’t have to make those tradeoffs.

WatchGuard firewalls, for example, use advanced Intel chipsets with crypto acceleration features to perform this function. As a result, third-party testing has shown that WatchGuard products consistently maintain high throughput when inspecting HTTPS traffic. For example, an independent test performed by Miercom found that the Firebox M370 outperformed competitive products while inspecting HTTPS traffic with full security services enabled.

But encrypted malware isn’t the only problem.  The WatchGuard Internet Security report also noted that 72 percent of encrypted malware is classified as zero day, meaning that no antivirus signature exists for it, and it will evade signature-based protections. These findings show that HTTPS inspection and advanced behavior-based threat detection and response solutions are now requirements for every security-conscious organization.

Detecting Malicious Activity

WatchGuard’s Threat Detection and Response (TDR) solution works in concert with traditional signature-based tools to identify behavioral anomalies and other suspicious characteristics that might indicate malicious activity. A key component is ThreatSync, a cloud-based correlation engine that collects event data in real time from WatchGuard security appliances, host sensors on endpoint devices, and cloud threat intelligence feeds. ThreatSync analyses this data to generate a threat score and initiate automatic malware response tactics.

When ThreatSync classifies a file as potentially malicious, the suspicious file is uploaded to a cloud-based sandbox that emulates a physical endpoint in a controlled environment. Here, APT Blocker executes the file to observe its behavior and unique characteristics. Once the analysis is complete, the results are relayed to ThreatSync, which then updates the threat score and enables automated remediation.

All organizations need to ask a simple question: Is our firewall capable of efficiently inspecting encrypted traffic and detecting zero-day threats? If not, the risk of exposure will continue to grow exponentially. A firewall capable of inspecting encrypted traffic and analyzing suspicious behavior has become an essential component of a robust security strategy.